For the first lab exercise.
1. Go to the /usr directory and create a log directory inside it. Run snort in
sniffer mode on Machine B, i.e. H3 (the machine that has snort installed), by typing:
snort -edv -l ./log
Ping Machine B (H3) from Machine A, which is named Router or H4 (the machine that
has NetPoke installed). Stop snort after the ping finishes.
Open the log file and take a look at what you get.
Repeat the above steps with the -v and -dv options instead of -edv, and
note the differences among these options.
2. Run snort in NIDS mode on Machine B by typing:
snort -c ./rules/snort.conf -l ./log
On Machine A, go to NetPoke's directory, /usr/NetPoke/, and use netpoke to send
each of the 4 DARPA datasets (e.g. LLS_DDOS_2.0.2-inside.dump) to Machine B by typing:
./netpoke -d eth1 dumpfilename
where dumpfilename is the name of the dataset file.
Stop the netpoke session on Machine A after 2 minutes for each dataset. Back up
the alert file in the log directory on Machine B after each dataset as alert.1dmz,
alert.1inside, alert.2dmz and alert.2inside. Show the TA your four alert log files.
3. Type "./netpoke -d eth1 -T dumpfilename" to see when packets are sent out.
4. Type "./netpoke -d eth1 -s 3 dumpfilename" and run snort in sniffer mode (as in
exercise 1) on the other machine; see how the result differs from a run at normal
speed, i.e. with the '-s 1' option.
For the second lab exercise.
1.
Using the "-r", "-c" and "-A fast" options of snort with the default rules, analyze the 4
datasets. In the /usr directory, type:
snort -r ./dumpfilename -c ./rules/snort.conf -A fast -l ./log
Back up the /usr/log/alert file after each run, and write down the number of
alerts detected in each dataset.
Back up the files as: alert1dmz, alert1inside, alert2dmz, alert2inside.
Edit the 4 alert log files to add the number of alerts as the first line of the log.
You may need to use the "-N" option to disable packet logging, which speeds up the
analysis of the 2 inside datasets, since they take much more time to analyze than
the 2 dmz datasets.
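The counting and backup part of step 1 can be scripted instead of done by hand. The following is an added example, not part of the lab handout: it assumes the "-A fast" alert file puts every alert on one line containing "[**]" (so counting those lines gives the alert count), and it uses a constructed sample alert file so it can be tried without snort; in the lab the source file is /usr/log/alert and the destination is one of the backup names above.

```shell
#!/bin/sh
# Added example (not from the lab handout): count the alerts in a Snort
# "-A fast" alert file and save a backup whose first line carries the count.
# Assumption: every alert line in fast-alert output contains "[**]".

# Print the number of alert lines in the given fast-alert file.
count_alerts() {
    # grep -c still prints "0" when nothing matches but exits 1; keep the "0".
    grep -c '\[\*\*\]' "$1" || true
}

# Write $2 = "Total alerts: N" followed by the original contents of $1,
# and print N so the caller can record it.
backup_with_count() {
    src=$1
    dst=$2
    n=$(count_alerts "$src")
    { printf 'Total alerts: %s\n' "$n"; cat "$src"; } > "$dst"
    echo "$n"
}

# Constructed sample fast-alert file (three alerts and one blank line) so the
# functions can be exercised without running snort. Addresses are made up.
make_sample_alert_file() {
    dir=$(mktemp -d)
    cat > "$dir/alert" <<'EOF'
01/01-10:00:01.000000  [**] [1:1000001:1] TELNET login attempt [**] [Priority: 2] {TCP} 172.16.112.50:1024 -> 172.16.112.100:23
01/01-10:00:02.000000  [**] [1:1000002:1] ICMP PING [**] [Priority: 3] {ICMP} 172.16.112.50 -> 172.16.112.100

01/01-10:00:03.000000  [**] [1:1000001:1] TELNET login attempt [**] [Priority: 2] {TCP} 172.16.112.50:1025 -> 172.16.112.100:23
EOF
    echo "$dir/alert"
}

# Usage in the lab (after each snort run):
#   backup_with_count /usr/log/alert /usr/log/alert1dmz
# Dry run with the constructed file:
#   f=$(make_sample_alert_file); backup_with_count "$f" "$(dirname "$f")/alert1dmz"
```

Because the count is taken with grep rather than `wc -l`, blank lines or any non-alert text in the file do not inflate the number you write down.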
2.
Back up the snort.conf file to snort.conf.bak.
Edit the snort.conf file and disable all the rule files by adding "#" in front of the
"include ..." lines at the end of the file, except for the "include telnet.rules" line.
Repeat step 1 and save the 4 alert log files together with the number of alerts
detected.
Save the files as: alert1dmzmod, alert1insidemod, alert2dmzmod, alert2insidemod.
You can also change the rules in the snort.conf file in some other way and see what
happens.
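The snort.conf edit in step 2 (and the restore in step 4) can also be done with a small script, which avoids missing an include line or forgetting the backup. This is an added example, not part of the lab handout: it assumes Snort's "include <file>" directive syntax and that rule files end in ".rules", leaves non-rule includes such as classification.config alone, and works on a constructed sample snort.conf so it can be tried before touching the real file in /usr/rules.

```shell
#!/bin/sh
# Added example (not from the lab handout): back up snort.conf, comment out every
# "include ...rules" line except the telnet one, and restore from the backup.
# Assumptions: "include <path>" directive syntax, rule files named "*.rules".

# Print the number of active (uncommented) rule-file includes in $1.
count_enabled_rule_includes() {
    grep -c '^include[[:space:]].*\.rules' "$1" || true
}

# Keep a copy of $1 at $1.bak, then rewrite $1 so that every active
# "include ...rules" line gets a leading "#", except lines naming telnet.rules.
disable_rules_except_telnet() {
    conf=$1
    cp "$conf" "$conf.bak"
    # First expression: lines mentioning telnet.rules are left untouched
    # ("b" branches to the end of the script). Second: prefix other rule
    # includes with "#" ("&" is the whole matched line).
    sed -e '/telnet\.rules/b' \
        -e 's/^include[[:space:]].*\.rules[[:space:]]*$/#&/' \
        "$conf.bak" > "$conf"
}

# Step 4 of the lab: put the original configuration back.
restore_conf() {
    cp "$1.bak" "$1"
}

# Constructed sample snort.conf for a dry run (paths are made up).
make_sample_conf() {
    dir=$(mktemp -d)
    cat > "$dir/snort.conf" <<'EOF'
var RULE_PATH ./rules
preprocessor frag2
include classification.config
include $RULE_PATH/telnet.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp.rules
# include $RULE_PATH/old.rules
EOF
    echo "$dir/snort.conf"
}

# Usage in the lab:
#   disable_rules_except_telnet /usr/rules/snort.conf   # step 2
#   restore_conf /usr/rules/snort.conf                  # step 4
```

Running `count_enabled_rule_includes` before and after the edit gives a quick check that only telnet.rules is still loaded, which explains any drop in the alert counts between the alert1* and alert1*mod files.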
3.
Submit your 8 alert log files via wolfware (ask the TA for the PC with outside access).
4. *IMPORTANT*:
Clear the log directory, restore snort.conf.bak to snort.conf, and delete all the alert
log files you generated.